On March 4th we spotted a large number of unusual emails being blocked by our Linux Mail Security product. The emails all contained the same PDF attachment (MD5: 97b720519aefa00da58026f03d818251) but were being sent from many different source addresses.

The emails were written in German and most were sent from German IP addresses. Below is a map showing the distribution of addresses:

The computer names referenced in the mail headers were often of the form Andreas-PC or Kerstin-Laptop (the names have been changed to protect the innocent), suggesting that the messages had been sent from German home computers rather than from a single mail server.
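The observation above (one attachment hash arriving from many unrelated source addresses) is the kind of grouping a mail gateway can do automatically. The following is an added example written for this edit, not code from Kaspersky or from the original post: it builds a few constructed messages with the standard library, records the client IP from the Received: header written by our own MX (the only hop whose header the sender could not forge), hashes each attachment and reports hashes seen from at least N distinct sources. The sender names, the .test domains, the documentation-range addresses and the attachment bytes are all placeholders; the resulting MD5 is of the placeholder, not the hash quoted above, and the MX hostname mx.example.test is an assumption.

```python
import email
import hashlib
import re
from collections import defaultdict
from email import policy
from email.message import EmailMessage

# Constructed sample attachments (placeholders, not the real PDF from the campaign).
SAMPLE_PDF = b"%PDF-1.4\n% constructed placeholder, not a real document\n"
OTHER_PDF = b"%PDF-1.4\n% an unrelated attachment\n"

# Constructed senders: (envelope sender, client IP seen by our MX, attachment).
# Addresses are from the 192.0.2.0/24 documentation range; domains end in .test.
SAMPLE_SOURCES = [
    ("andreas@mail1.example.test", "192.0.2.10", SAMPLE_PDF),
    ("kerstin@mail2.example.test", "192.0.2.11", SAMPLE_PDF),
    ("jens@mail3.example.test", "192.0.2.12", SAMPLE_PDF),
    ("shop@mail4.example.test", "192.0.2.13", OTHER_PDF),
]

OUR_MX = "mx.example.test"  # assumed name of the receiving MTA
RECEIVED_IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def build_message(sender: str, src_ip: str, attachment: bytes) -> bytes:
    """Build a raw message with one PDF attachment and a Received: header in the
    form an MTA writes it: the bracketed address is the connecting client."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "empfaenger@example.test"
    msg["Subject"] = "Ihre Rechnung"
    msg["Received"] = (f"from {sender.split('@')[1]} ([{src_ip}]) "
                       f"by {OUR_MX} with ESMTP")
    msg.set_content("Bitte beachten Sie den Anhang.")
    msg.add_attachment(attachment, maintype="application", subtype="pdf",
                       filename="Rechnung.pdf")
    return msg.as_bytes()


def parse(raw: bytes) -> EmailMessage:
    return email.message_from_bytes(raw, policy=policy.default)


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def source_ip(msg: EmailMessage, our_mx: str = OUR_MX):
    """Return the client IP from the Received: header added by our own MX.
    Received: headers below that one were supplied by the sender and may be forged,
    so they are ignored."""
    ours = re.compile(rf"\bby\s+{re.escape(our_mx)}\b")
    for hdr in msg.get_all("Received") or []:
        text = str(hdr)
        if not ours.search(text):
            continue
        m = RECEIVED_IP.search(text)
        if m:
            return m.group(1)
    return None


def attachment_hashes(msg: EmailMessage) -> list:
    return [md5_hex(part.get_payload(decode=True)) for part in msg.iter_attachments()]


def cluster_by_attachment(raw_messages, our_mx: str = OUR_MX, min_sources: int = 3) -> dict:
    """Map attachment hash -> sorted list of distinct client IPs, keeping only hashes
    delivered from at least min_sources hosts. The same file from many unrelated
    clients is the signature of a bot-driven mailing, not one misconfigured sender."""
    sources = defaultdict(set)
    for raw in raw_messages:
        msg = parse(raw)
        ip = source_ip(msg, our_mx)
        for h in attachment_hashes(msg):
            sources[h].add(ip)
    return {h: sorted(ips) for h, ips in sources.items() if len(ips) >= min_sources}


def campaign_clusters(min_sources: int = 3) -> dict:
    raw = [build_message(s, ip, att) for s, ip, att in SAMPLE_SOURCES]
    return cluster_by_attachment(raw, min_sources=min_sources)


if __name__ == "__main__":
    for h, ips in campaign_clusters().items():
        print(f"{h}: {len(ips)} distinct sources: {', '.join(ips)}")
```

In production the hash would come from the gateway's own attachment extraction and the distinct-source count would be kept over a sliding time window; the threshold of three sources here is arbitrary and should be tuned against normal traffic (newsletters and invoices are legitimately sent from several relays).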

This is the topic that cybercriminals are exploiting as a hook to infect victims. The campaign starts with malicious emails sent in bulk to victims:

Not really, especially in Latin America. Every day we register lots of similar attacks, each abusing local name resolution. These particular attacks are a bit different because they modify the local hosts file instead of the DNS settings, but the principle is the same: the victim is redirected to a malicious host by a malicious name-to-address mapping.

Latin American cybercriminals routinely recycle old techniques used elsewhere in the past, and what is happening right now is a growth in attacks abusing local DNS and hosts-file settings. The latest social engineering-based malware attack in Mexico, which imitated the Mexican tax office, is a recent example of this.

Carolina Dieckmann, a famous Brazilian actress, recently became the victim of a cyber attack in which cybercriminals stole personal property, nude pictures of her, from her computer. Many of the pictures, or maybe all of them, were leaked to the Internet. This incident has served as a good incentive for the Brazilian government to introduce new cybercrime laws (the current law used to fight cybercrime in Brazil was approved back in the 1940s). As a result of this incident, a new cybercrime law that carries a punishment of up to 2 years in prison for such crimes has finally been proposed for consideration. This is a good and right move! A press article in Portuguese can be

Research|Internal needs on the black market

Dmitry Bestuzhev
Kaspersky Lab Expert
Posted January 17, 00:03  GMT
Tags: Malware Statistics, Campaigns, Email, ZeuS
At the end of 2010 I noticed a big wave of recruitment spam for money mule work. Initially, the criminals used spam sent from hacked email accounts. I even got some messages like this from people I know personally:

Right after that, to speed up the recruitment process, the messages came via Windows Live Messenger (aka MSN):

And of course, the criminals also used legitimate accounts that had been hacked to spread their messages. Finally, right before the end of the year I saw a big campaign on Facebook, especially targeting Spanish speaking communities. But yesterday I was completely surprised when I found an advertising banner on a legitimate IT site leading to the same page – money mule recruitment.

All these developments make me think there is huge demand on the black market for money mule workers. The criminals seem to have enough stolen information, such as credit card PINs and details for online banking accounts and payment systems. Their problem now is how to launder the money they have made. Our statistics confirm there is clear growth in Trojan-Spy malware able to steal any kind of personal information. This includes well-known Trojans like Zbot (ZeuS) and SpyEye.

It’s worth remembering that money mule activity is illegal: the mule is laundering the proceeds of fraud. Basically, if nobody were willing to launder their money, cybercriminals would find it much harder to profit from stolen account details. Everyone can contribute in their own way to global security, not just AV and other security companies.
Today my colleague Jorge Mieres found some interesting information related to the new HLux botnet.

This new worm propagates via e-mail and is administered through a crimeware pack called BOMBA. The scam messages point to a fake eCard that supposedly requires installing Flash Player (an old scammers’ trick).

 
After the infection, the newly installed malware downloads a malicious update, detected by Kaspersky as Email-Worm.Win32.Hlux.c, and connects to BOMBA’s server to report statistics about the infection.

 
Our statistics for Jan 5 show that the countries with the highest numbers of infection attempts are the U.S., Germany and the U.K.
 

We’ll keep researching this issue and will keep you updated.


Virus Watch|"Here you have" - not a sex tape, but a worm

Aleks
Kaspersky Lab Expert
Posted September 10, 09:46  GMT
Tags: Social Engineering, Email, VBMania
We're raising our threat level by a notch. Not something that we do as often as we used to. There are several reasons for this decision, but one of them really stands out.

We've identified a worm called VBMania. This might not sound like anything much, but in contrast to most worms today, it spreads via email. Real old school. Additionally, it works on the principle of "download and run": the message carries no exploit, only a link, and the victim has to fetch and execute the file.

The worm spreads by sending emails from the infected computer. The messages have a subject line of "Here you have" and random text such as "This is The Free Dowload Sex Movies,you can find it Here". Of course, the messages also include a link to a file on the Internet.

Click on the link, save and run the file and voila - your machine is infected.

In spite of this primitive propagation routine, the worm is pretty active, and currently sending out significant amounts of mail.

Because of this, and also because there's been a lot of news about this worm flying around, we've decided to raise the threat level with the aim of informing as many people as possible.

The worm's written in Visual Basic, and our products detect it proactively using heuristics as Suspicious:HEUR:Trojan.Win32.Generic.

Last night we also added signature detection (Trojan.Win32.Swisyn), which we're going to rename to Email-Worm.Win32.VBMania.

UPDATE: As of 1600 GMT, all the malicious worm files that were located on members.multimania.co.uk had been deleted. This means the worm won't be able to propagate further. However, infected computers will continue to send emails until they're disinfected.

While analysing the worm we also identified an earlier variant - Trojan.Win32.Swisyn.ajgd. It was first detected in August this year, had similar functionality, and was also spread from the member areas on members.multimania.co.uk and lycos.co.uk.


Opinions|HTML e-mail & why it's not a good idea

David
Kaspersky Lab Expert
Posted November 09, 14:30  GMT
Tags: Email
Many people today send and receive e-mails in HTML format. It's nice to look at, you can format it easily, you can add pictures and more. In fact, when you read an HTML e-mail, you're effectively reading a web page ... and therein lies the problem!

There's no shortage of vulnerabilities in IE, many of which have been exploited by viruses, worms and Trojans over the last few years, and Windows mail clients such as Outlook Express render HTML messages with the same engine, so an IE bug is a mail-client bug too. The 'lead-time' between the discovery of a vulnerability and the appearance of an exploit that targets it has become progressively shorter.

So HTML e-mail is intrinsically risky in the same way that browsing is. Even if an HTML e-mail looks like regular text, it may be more than that: it's possible to embed script within it that executes automatically as soon as the message is rendered in the preview pane, including exploit instructions. This may harm your machine directly or leave it open to attack.

Recent reports suggest that 'phishers' have started to make use of HTML e-mails. In a 'classic' phishing scam, the user receives an e-mail that is made to look like it has come from their bank. There's a link to a web site that's designed to look like their bank's web site. The user is prompted to input their personal details, which are then captured by the phisher. Of course, in order to succeed, the scam requires an unsuspecting user to click on the link and enter their details.

Now, however, it seems that phishers are trying to 'cut out the middleman' and launch the fraudulent web site automatically. This is done by sending an HTML e-mail containing hidden script instructions designed to edit the user's hosts file, so that when they next type their bank's address, they are redirected to the fraudulent web site while the address bar still shows the real name. Script in a message is not supposed to be able to write files at all; doing so depends on a rendering-engine vulnerability of the kind mentioned above (or on the user allowing an unsafe control), which is why the two problems go together.

One more reason to read e-mail as plain text rather than HTML, and to disable active scripting in your mail client.
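The hosts-file rewrite described here, and in the Latin American attacks discussed further up the page, leaves a mapping that can be checked for mechanically. The script below is an added example written for this edit, not code from Kaspersky or from either post: it parses hosts-file syntax, reports any entry that overrides a watchlisted domain (whatever it points to, since a bank domain pinned to 127.0.0.1 is a denial of service and pinned to anything else is a redirect), and reports any other entry that points somewhere other than loopback or an operator-approved internal network. The sample file, the .test domains and the documentation-range addresses are constructed placeholders; the watchlist and the allowed networks are parameters the operator supplies.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample hosts file (placeholder names and addresses, not entries
# observed in the attacks described on this page).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
#
127.0.0.1       localhost
::1             localhost
10.0.0.5        intranet.corp.test          # legitimate internal override
0.0.0.0         ads.tracker.test            # ad-blocking sinkhole, harmless
192.0.2.44      www.example-bank.test example-bank.test   # bank domain redirected
"""


class HostsEntry(NamedTuple):
    lineno: int
    ip: str
    names: tuple


def parse_hosts(text: str) -> list:
    """Parse hosts-file syntax: '<ip> <name> [<alias> ...]', '#' starts a comment.
    Malformed lines are skipped rather than raising: a tampered file may contain junk."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        try:
            ipaddress.ip_address(fields[0])
        except ValueError:
            continue
        entries.append(HostsEntry(lineno, fields[0], tuple(n.lower() for n in fields[1:])))
    return entries


def _watched(name: str, watchlist) -> bool:
    # Match the domain itself and any subdomain of it.
    return any(name == w or name.endswith("." + w) for w in watchlist)


def suspicious_entries(entries, watchlist=(), allowed_nets=()) -> list:
    """Return (entry, reason) pairs for entries that (1) override a watchlisted
    domain, or (2) map names to anything other than loopback, the unspecified
    address, or an operator-approved network."""
    nets = [ipaddress.ip_network(n) for n in allowed_nets]
    findings = []
    for e in entries:
        ip = ipaddress.ip_address(e.ip)
        if any(_watched(n, watchlist) for n in e.names):
            findings.append((e, "watchlisted domain overridden"))
            continue
        if ip.is_loopback or ip.is_unspecified:
            continue  # local sinkholes (ad blockers, localhost) are normal
        if any(ip in net for net in nets):
            continue  # approved internal overrides
        findings.append((e, "maps names to an external address"))
    return findings


def check_hosts_text(text: str, watchlist=(), allowed_nets=()) -> list:
    return suspicious_entries(parse_hosts(text), watchlist, allowed_nets)


if __name__ == "__main__":
    # On a real machine read the file itself: /etc/hosts on Unix,
    # %SystemRoot%\System32\drivers\etc\hosts on Windows.
    for entry, reason in check_hosts_text(SAMPLE_HOSTS,
                                          watchlist=("example-bank.test",),
                                          allowed_nets=("10.0.0.0/8",)):
        print(f"line {entry.lineno}: {entry.ip} -> {', '.join(entry.names)}: {reason}")
```

The watchlist is the important control: even without it the external-address rule catches the sample redirect, but a redirect to a private address on the local network (an attacker's box on the same LAN, or a compromised router) would pass the second rule if that network is on the allow list, and only the watchlist would still report it.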
